Cloud Hacking: flAWS2 — Lv. 2

Hasbi Ash
The Constellar Digital&Technology Blog
5 min read · Dec 19, 2023
img_1

After completing level one, we will now attempt to tackle the challenges of level 2.

img_2

When we click on the link above, we are immediately greeted by a pop-up requesting credentials. However, we do not know the username and password.

img_3

Because we know that both level 1 and level 2 are on the same domain (flaws2.cloud), we will try using the access_key, secret_key, and session_token from level 1. Please note that I refreshed the page, so these three have changed.

img_4

After entering those three into ~/.aws/configure, we execute the command.

sts

This command refers to the AWS Security Token Service (STS), which provides temporary, limited-privilege credentials for secure access to AWS resources.

get-caller-identity

This specific AWS CLI command fetches information about the caller’s identity. In other words, it retrieves details about the AWS account, user, or service making the request. This information typically includes the AWS account ID, principal ID, and ARN (Amazon Resource Name).

And voilà, we obtain the account ID.

img_5

From the challenge description, we know that the repository name is “level2,” so we will attempt to obtain its image tag.

ecr

This part of the command tells the AWS Command Line Interface (CLI) that we want to interact with Amazon Elastic Container Registry (ECR), a service for storing and managing Docker container images.

list-images

The list-images command is used to list the image IDs for a specified Amazon Elastic Container Registry (ECR) repository.

--registry-id

This is our account ID.

--region us-east-1

Specifies the AWS region, which is “us-east-1” in this case. ECR repositories are region-specific.

I include the region in the command because it’s not in the AWS credentials file.

img_6

Next, we retrieve a login password from ECR and pipe it into docker login for the account's registry.

get-login-password

This subcommand is used to retrieve an authentication token for logging into the ECR repository.

| (pipe character)

This is used to pass the output of the previous command (the authentication token) as input to the next command.

docker login

This is the Docker command used for authenticating with a Docker registry. In this case, it’s being used to log in to the ECR registry.

-u AWS

Specifies the username as “AWS.” Docker expects a username when logging in, but the actual authentication is done using the temporary token passed as the password.

--password-stdin

This flag tells Docker to read the password (authentication token) from the standard input, which is the output of the previous aws ecr get-login-password command.

653711331788.dkr.ecr.us-east-1.amazonaws.com

This is the hostname of the ECR registry we want to log in to; it is built from the AWS account ID, the ECR domain, and the region-specific endpoint.

And there you go, we successfully log in.

img_7

Recall that the image tag is “latest,” so next we pull the image locally.

docker pull

This is the Docker command used to pull (download) a Docker container image from a registry or repository.

level2

This is the (repository) name of the Docker image we want to pull.

latest

This is a tag associated with the Docker image. In this case, it’s requesting the “latest” version of the image. Docker images can have multiple versions or tags, and “latest” typically represents the most recent version.

img_8

We then list the available images.

img_8

We can see from the response header that the site is served by Nginx.

img_9

So, we can search the image's filesystem for any file with a password-like name.

We find /etc/nginx/.htpasswd, the file that Nginx's basic-authentication configuration uses to store usernames and their corresponding hashed passwords.

img_10

Then we got the username, which is “flaws2,” but I cannot crack the hashed password, so we’ll try a different approach.

img_11

We can search the image’s history by running the following command:

docker history 2d73de35b781 --no-trunc | grep 'flaws2'

This command prints every layer in the image's build history and pipes the output into grep, keeping only the lines that mention ‘flaws2’. And voilà, we have the build step that set up the password for the ‘flaws2’ user.

FYI, the ‘--no-trunc’ flag of ‘docker history’ displays the complete, untruncated command for each layer; without it, the long command that contains the password would be cut off.

img_12
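As an added example (not part of the original write-up), here is a small Python check a defender could run over the output of `docker history --no-trunc --format '{{json .}}' <image>` to flag layers whose build command looks like it embeds a credential, as happened with the ‘flaws2’ htpasswd step above. The history lines below are constructed for the example, and the rule patterns are my own assumptions, not an exhaustive list.

```python
"""Flag Docker image layers whose build command appears to embed a secret.

Input: one JSON object per layer, as printed by
    docker history --no-trunc --format '{{json .}}' <image>
The SAMPLE_HISTORY below is constructed for this example.
"""
import json
import re
from typing import Dict, Iterable, List

# Heuristic rules (assumed for this example) for credentials baked into a layer.
SECRET_PATTERNS = {
    "htpasswd": re.compile(r"\bhtpasswd\b"),                       # basic-auth file creation
    "password-assignment": re.compile(r"(?i)(password|passwd|secret|token)\s*[=:]\s*\S+"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),       # long-lived AWS key id shape
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def scan_history(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per (layer, rule) hit, in layer order."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        layer = json.loads(raw)
        cmd = layer.get("CreatedBy", "")
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(cmd):
                findings.append({"layer": layer.get("ID", "?"), "rule": rule, "cmd": cmd})
    return findings


# Constructed sample history resembling the leak described in the write-up.
SAMPLE_HISTORY = r"""
{"ID":"sha256:aaa","CreatedBy":"/bin/sh -c #(nop)  CMD [\"nginx\" \"-g\" \"daemon off;\"]"}
{"ID":"sha256:bbb","CreatedBy":"/bin/sh -c htpasswd -b -c /etc/nginx/.htpasswd flaws2 EXAMPLE_PASSWORD"}
{"ID":"sha256:ccc","CreatedBy":"/bin/sh -c apt-get update && apt-get install -y nginx"}
{"ID":"sha256:ddd","CreatedBy":"/bin/sh -c #(nop)  ENV API_TOKEN=EXAMPLE_TOKEN_VALUE"}
"""

if __name__ == "__main__":
    for hit in scan_history(SAMPLE_HISTORY.splitlines()):
        print(f"[{hit['rule']}] layer {hit['layer']}: {hit['cmd']}")
```

Pipe real history into `scan_history(sys.stdin)` in CI to catch such layers before an image is pushed to a registry.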

And when we enter the username and password, we get the link to the next level (level 3).

img_13

So, we’ve gathered some important insights:

  • Avoid making certain AWS services public unless we really need to. It’s usually safer to keep them private.
  • Be careful with Docker image history, just like you would be with Git. Don’t accidentally share private info.
  • If something doesn’t need to be public, keep it private. It’s the safest way.
